Audit Report

OIG-14-034
OCC’s Review of Banks’ Use of Third Party Service Providers Is Not Sufficiently Documented
April 21, 2014

Office of Inspector General
Department of the Treasury

Contents

Audit Report
  Background
  Results of Audit
    OCC Has Updated Guidance to Banks on Managing Risks Related to the Use of Third Parties
    OCC Examiners’ Review of the Use of Third Parties by Smaller Financial Institutions is Not Sufficiently Documented
  Recommendation

Appendices
  Appendix 1: Objectives, Scope, and Methodology
  Appendix 2: Management Comments
  Appendix 3: Major Contributors to This Report
  Appendix 4: Report Distribution

Abbreviations and Acronyms
  CFPB    Consumer Financial Protection Bureau
  EIC     examiner-in-charge
  FDIC    Federal Deposit Insurance Corporation
  FFIEC   Federal Financial Institutions Examination Council
  FRB     Board of Governors of the Federal Reserve System
  IT      information technology
  MDPS    multi-regional data processing servicer
  NCUA    National Credit Union Administration
  OCC     Office of the Comptroller of the Currency

April 21, 2014

Thomas J. Curry
Comptroller of the Currency

This report presents the results of our audit of the Office of the Comptroller of the Currency’s (OCC) supervision of the use of third-party service providers (hereafter referred to as third parties) by national banks and federal savings associations. This is an OCC operation that we had not previously reviewed.

Our audit objective was to evaluate the sufficiency and effectiveness of OCC’s procedures for supervising the use of third parties by national banks and federal savings associations. We interviewed OCC personnel responsible for supervising banks’ use of third parties and reviewed relevant OCC documentation, such as policies, procedures, and guidance, as well as similar documents issued by other federal regulatory agencies. We conducted our audit fieldwork from July 2012 through July 2013. Appendix 1 contains a more detailed description of our objectives, scope, and methodology.

In brief, we found that OCC provided guidance to banks on managing risks related to the use of third parties. OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles” was in effect during our audit. Although generally comprehensive, the guidance needed to be updated. Subsequent to the end of our fieldwork, OCC issued new risk-management guidance related to third-party relationships for national banks and federal savings associations.

In addition, we found that, as part of their examinations, OCC examiners conclude upon the adequacy of bank processes for managing risks related to the use of third parties. However, we found that examination workpapers related to the use of third parties by smaller financial institutions often do not leave a clear enough audit trail to enable a reviewer to determine how the conclusions were reached.

We are recommending that OCC reinforce to examination staff the need for workpapers to contain essential information to support conclusions about banks’ governance of third parties. Essential information should include the procedures performed and the results upon which the conclusions are based.

In a written response, which is included as appendix 2, OCC management stated that it will communicate to examiners, via memorandum and discussion, the expectations for documentation when reviewing a bank’s risk regarding third-party service providers. Additionally, OCC will update relevant booklets of the Comptroller’s Handbook to incorporate references to OCC guidance on third party service providers, and revise the Community Bank Supervision booklet to more clearly address procedures for scoping reviews and monitoring of banks’ reliance on third parties for critical services. We consider these planned corrective actions as responsive to our recommendation.

Background

Financial institutions use third parties to carry out significant parts of their regulated and unregulated activities. Such third parties could include vendors, agents, dealers, brokers, marketers, and bank service companies that have entered into a business relationship with an insured depository institution. A third party can be a bank or a nonbank, affiliated or not affiliated, domestic or foreign.
Use of third parties can cross many business activities and may include information technology (IT) services, such as applications development, programming, and coding; specific banking and administrative operations, such as aspects of finance and accounting; back-office activities, processing, and administration; and other contract functions, such as call centers. Third party arrangements can be complex and have the potential to transfer risk management and compliance to third parties who may not be regulated and who may operate offshore. Industry and regulators acknowledge that this increased reliance on third parties may affect the ability of the regulated entities to manage their risks and monitor their compliance with regulatory requirements.

OCC supervises 1,971 banking institutions with total assets of approximately $10 trillion,[1] but it does not maintain statistical data on third party use by the financial institutions under its supervision.

    [1] According to OCC’s 2012 Annual Report, OCC supervised 1,351 national banks, 573 federal savings associations, and 47 federal branches of foreign banks in the United States. National bank and federal branch assets totaled $9.2 trillion, and federal savings association assets totaled $803.1 billion.

Under the Bank Service Company Act, OCC has the authority to supervise third parties engaged by national banks and federal savings associations for the performance of any applicable functions of the regulated institution’s internal operations.[2] OCC’s supervision of an institution’s use of third parties includes the promulgation of guidance requiring boards of directors and management of national banks and federal savings associations to oversee and manage third-party relationships,[3] the evaluation of the third party governance process at individual regulated financial institutions, and the direct examination of certain larger technology service providers.

    [2] 12 U.S.C. § 1867 (c).

    [3] OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” Nov. 2001, was in effect during our audit. Subsequent to the end of our fieldwork, OCC issued Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” on October 30, 2013.

Technology service providers that service a large number of insured financial institutions supervised by more than one federal financial institution regulator may be subject to interagency examinations performed under the auspices of the Federal Financial Institutions Examination Council’s (FFIEC) Multi-Regional Data Processing Servicers (MDPS) program.[4] Two FFIEC publications provide a framework for the direct oversight of these large technology service providers:

• IT Examination Handbook: Supervision of Technology Service Providers

• Federal Regulatory Agencies’ Administrative Guidelines: Implementation of Interagency Programs for the Supervision of Technology Service Providers

    [4] The council is a formal interagency body empowered under 12 U.S.C. Chapter 34, Federal Financial Institutions Examination Council, to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and OCC. The council also makes recommendations to promote uniformity in the supervision of financial institutions. The MDPS program is a cooperative arrangement among the agencies for the achievement of shared and consistent supervisory goals and objectives. As a general rule, a technology service provider is considered for the MDPS program when the provider processes mission-critical applications for a large number of financial institutions that are regulated by more than one agency, thereby posing a high degree of systems risk, or from a number of data centers located in different geographic regions. As of December 2012, there were 15 technology service providers subject to the MDPS program.

The IT Examination Handbook also guides OCC examiners in the conduct of direct examinations of technology service providers.[5] Such reviews are a part of OCC’s supervision of third parties used by regulated institutions.

    [5] While the MDPS program provides for interagency examinations of technology service providers, federal or state regulatory agencies are not precluded from conducting an independent examination of any technology service provider that is servicing an insured financial institution for which the agency is responsible.

Our audit focused on OCC’s supervision of individual financial institutions’ use of third parties. Accordingly, the direct examinations of technology service providers under the MDPS or by OCC were not included within the scope of this audit.

Results of Audit

OCC Has Updated Guidance to Banks on Managing Risks Related to the Use of Third Parties

During our audit period, OCC Bulletin 2001-47, “Third-Party Relationships: Risk Management Principles,” served as the guidance to banks on managing the risks related to third-party relationships. In this guidance, OCC established an expectation that boards of directors and management of banks should properly oversee and manage third-party relationships. OCC Bulletin 2001-47 was generally comprehensive but outdated. For example, it did not reflect the recent broader focus on operational risk rather than transaction risk.

In October 2013, OCC issued updated risk-management guidance related to third-party relationships for national banks and federal savings associations. This issuance, OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinded Bulletin 2001-47.
OCC personnel stated that the new guidance provides a more comprehensive instruction for banks to ensure that third-party relationships, especially those that involve critical bank activities, are conducted in a safe and sound manner. We agree with this assessment. While the new guidance reiterates that a bank should adopt risk-management processes commensurate with the level of risk and complexity of its third-party relationships, it goes into greater detail than OCC Bulletin 2001-47 in defining attributes of an effective risk-management process for third-party relationships. These attributes include:

• plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party;

• proper due diligence in selecting a third party;

• written contracts that outline the rights and responsibilities of all parties;

• ongoing monitoring of the third party’s activities and performance;

• contingency plans for terminating the relationship in an effective manner;

• clear roles and responsibilities for overseeing and managing the relationship and risk-management process;

• documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and

• independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

OCC Examiners’ Review of the Use of Third Parties by Smaller Financial Institutions is Not Sufficiently Documented

We reviewed examination workpapers supporting OCC’s supervision of 18 banks’ use of third parties for the two most recent examination cycles. These institutions included 2 large banks, 2 midsize banks, 10 community banks, and 4 federal savings associations. For all banks, OCC examiners reached conclusions related to the banks’ management of third parties; however, OCC had comprehensive workpapers documenting the nature and scope of the work performed to reach those conclusions for only four banks (two large banks, one midsize bank, and one federal savings association). Workpapers detailing examination procedures at the remaining, mostly smaller, institutions were limited. The quantity of workpapers supporting the conclusions at these banks varied but often did not identify the extent to which the institution used third parties, identify the degree of risk presented to the institution’s operations by the third parties, or document detailed procedures that validated the institution’s compliance with OCC Bulletin 2001-47.

OCC officials told us that examiners did evaluate the use of third parties at these institutions and that the work was generally targeted on assessing the institution’s compliance with OCC Bulletin 2001-47. The nature and scope of this work depended on the examiner’s knowledge of the institution, prior examination results, an assessment of the risk to the institution, and the resources available to the examination team. We noted that the “Community Bank Supervision” booklet of the Comptroller’s Handbook allows for the execution of limited procedures (that is, minimum objectives) in areas that the examiners deem low-risk. For these areas, examiners determine whether significant changes have occurred in the bank’s risk profile, including business activities, management performance, or condition of the area, as compared to the profile noted in the previous supervisory cycle.
If, after completion of the minimum objectives, examiners identify no significant changes in the institution’s risk profile, they can choose not to perform further work in the low risk area.

As noted previously, the workpapers that we reviewed often did not identify the extent to which the institution used third parties or the degree of risk presented to the institution’s operations by these third parties. The workpapers often did not leave a clear audit trail or contain enough documentation to enable a reviewer to understand how OCC examiners reached their conclusions on third parties.

OCC officials also told us that variations in or absence of documentation detailing examiners’ evaluation of third parties can be explained by the following factors:

• Given limited examiner resources, especially for smaller institutions, OCC examiners focus on documenting their work in areas considered high-risk and on supporting negative assertions that could be subject to challenge by the bank’s management. As a result, based on their knowledge of the bank, examiners may not spend resources documenting the work supporting their conclusion when they know the third party or other area they are looking at is in “good shape”. For example, examiners may have discussions on the topic of third parties and vendor management, but if it is determined that management’s process is satisfactory, there may not be any documentation of these discussions in the workpapers.

• In such cases where a process is satisfactory, sign off by the examiner-in-charge (EIC) on the conclusion statement in the workpapers is considered sufficient to document that adequate work was performed to reach that conclusion.

• When evaluating the use of third parties in smaller institutions, the examiner’s review will tend to be business-line oriented. Although there may not be documentation of the testing of specific third parties for compliance with the institution’s vendor-management process, third parties may be evaluated during the review of the business line to which they relate. Our review of OCC workpapers found instances in which concerns with a third party were noted in the conclusion statements for specific business lines of the banks. While this indicates that the examiners reviewed third parties during their examination, the nature and extent of procedures applied to third parties were not usually described.

We acknowledge OCC’s desire to have examiners focus examination procedures on areas of risk and its willingness to rely on the experience, institutional knowledge, and judgment of the examination team—especially the EIC.
OCC policy PPM 5400-8 states that, in most cases, supervision workpapers need not include all of the data reviewed during a supervisory activity. However, the policy also states that workpapers must contain all essential information required to support conclusions about supervisory activities.[6] In addition, workpapers should clearly document which examination procedures were performed and whether they were performed fully or partially. To comply with this guidance, we believe that workpapers should contain, at a minimum, a description of the procedures performed and the results of the review on which the conclusions are based.

    [6] OCC, Policy and Procedures Manual (PPM) 5400-8 (REV), “Bank Supervision: Supervision Work Papers,” Oct. 23, 2002.

Several publications describe aspects of third party examination:

• OCC Bulletin 2001-47 broadly addresses the OCC supervisory approach.

• Both the FFIEC IT Examination Handbook and Federal Regulatory Agencies’ Administrative Guidelines, while directed toward IT examiners for use in IT focused exams, describe in detail the processes for examining service-provider governance.

• The “Community Bank Supervision” and “Internal and External Audits” booklets contain guidance and examination procedures addressing governance of outsourced internal audit arrangements.

• The “Retail Lending Examination Procedures” booklet of the Comptroller’s Handbook provides detailed procedures to address the extent of third-party involvement in retail lending activities and evaluating the effectiveness of management’s third-party oversight and risk-management processes.

However, the Comptroller’s Handbook lacked separate guidance to cover examination procedures and documentation requirements for supervising an institution’s governance of both IT and non-IT third parties during regular safety and soundness examinations. Specific guidance or training targeted at examination teams at similar institutions, with similar resource constraints, may prove useful to OCC in promoting sufficient documentation.

Recommendation

We recommend that the Comptroller of the Currency reinforce to examination staff the need for workpapers to contain essential information to support conclusions about banks’ governance of third parties, as required by PPM 5400-8. Essential information should include the procedures performed and the results upon which the conclusions are based.

Management Response

OCC will issue a memorandum highlighting expectations for complying with PPM 5400-8 when examiners review a bank’s risk regarding third-party service providers.
OCC management will direct front line managers responsible for the supervision of community and midsize banks to discuss this issue with the examiners they supervise by September 30, 2014.

OCC will also incorporate references to OCC Bulletin 2013-29, its updated guidance on managing risks associated with third-party relationships, into relevant booklets of the Comptroller’s Handbook as they cycle through the periodic review and revision process. In addition, the “Community Bank Supervision” booklet, which sets forth procedures for examining smaller banks, will be revised to include more explicit language and procedures for scoping reviews and ongoing monitoring of banks’ reliance on third parties for critical services.

OIG Comment

OCC’s planned corrective actions are responsive to our recommendation.

* * * * *

We appreciate the courtesies and cooperation provided to our staff during the audit. If you wish to discuss the report, you may contact me at (202) 927-0384 or James Lisle, Audit Manager, at (202) 927-6345. Major contributors to this report are listed in Appendix 3.

Jeffrey Dye /s/
Director, Banking Audits

Appendix 1: Objectives, Scope, and Methodology

Our objective was to evaluate the sufficiency of the Office of the Comptroller of the Currency’s (OCC) existing procedures for supervising the use of third-party service providers (third parties) by national banks and federal savings associations, as well as the effectiveness of the application of these procedures. To accomplish these objectives, we:

• interviewed OCC personnel responsible for supervising banks’ use of third parties;

• reviewed OCC examination policies, procedures, and guidance related to supervision of banks’ use of third parties, as well as those issued by other federal regulatory agencies, such as the Board of Governors of the Federal Reserve System (FRB) and the Federal Deposit Insurance Corporation (FDIC);

• reviewed bulletins, bank guidance, and white papers, issued by the OCC and other federal regulatory agencies discussing risks involved in banks’ use of third parties.
  These documents reviewed included: OCC Bulletin 2001-47, Third-Party Relationships: Risk Management Principles; OCC Advisory Letter 2000-9 Third Party Risk; OCC 2002-16 Bank Use of Foreign-Based Third Party Service Providers; OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance; FDIC Financial Institution Letter 44-2008 Guidance for Managing Third-Party Risk; FRB NY Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks October 1999; FRB Philadelphia Vendor Risk Management 1st Qtr 2011; and FRB DC SR-00-04 Outsourcing of Information and Transaction Processing; and

• reviewed workpapers covering two examination cycles for 18 banks selected in proportion to the number of banks in each of OCC’s supervision categories.[7] Typical documents reviewed included reports of examinations, supervisory letters and/or conclusion memos, scope memos, examination planning request letters, core assessments, risk assessments, supervisory strategies, work activities, and examination procedures.

    [7] OCC supervises both national banks and federal savings associations. For supervision purposes, national banks are categorized by size: large banks include the largest national banking companies which generally are involved in the most complex activities and operate over wide geographic areas; midsize banks (generally assets of $10 billion to $50 billion); and community banks (generally assets of less than $10 billion). According to data extracted from the institution directory at FDIC’s website as of September 2012, OCC supervised 19 large banks, 17 midsize banks, 1,235 community banks, and 569 federal savings associations. We selected 2 large banks, 2 midsize banks, 10 community banks, and 4 savings associations for testing.

We performed our audit fieldwork from July 2012 through July 2013. We did not include reviews of technology service providers under the Federal Financial Institutions Examination Council (FFIEC) Multi-Regional Data Processing Servicer (MDPS) program or by OCC.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix 2: Management Comments

Appendix 3: Major Contributors to This Report

James Lisle, Audit Manager
Adelia Gonzales, Auditor-in-Charge
Marco Uribe, Auditor
Cecilia Howland, Referencer

Appendix 4: Report Distribution

Department of the Treasury

  Deputy Secretary
  Office of Strategic Planning and Performance Management
  Office of the Deputy Chief Financial Officer, Risk and Control Group

Office of the Comptroller of the Currency

  Comptroller of the Currency
  Liaison Officer

Office of Management and Budget

  OIG Budget Examiner